Alert Grouping
- Updated on 02 Apr 2025
The CDC alert grouping mechanism groups related alerts into incidents (threats). This gives security analysts better context for the issues they need to handle, speeds up analysis, and reduces the investigation time for similar alerts, since analysts work only with the incidents that gather those alerts.
For example, let's assume that two alerts are generated in two minutes. The first alert comes from the EDR with information about malware on a host, and the second alert comes from the firewall with the same host communicating with a known C&C address. The CDC will then detect these two alerts and group them together into one incident.
As part of this change to grouping, analysts no longer work with alerts; the focus is on incidents.
Within the Incidents dashboard, you can get more detailed information about all alerts attached to an incident.
When clicking on an alert, you can see the Alerts view within the Incident view. The alert list contains the following information for each alert:
- Score
- Severity
- Indication that a playbook is waiting for a user action.
- Indication that the alert was updated - the playbook finished running, update of raw data, update of observables, etc.
Note that you can also filter the alerts by creation time and/or by severity.
Notes:
- In the Incidents tab, you can see an alert's details. When hovering over the alert and opening it, a new window opens with additional information for the alert. Here you will also be able to see a Feed tab, which contains information written in the previous alert’s chat. Note that you will not be able to edit this tab.
- In each alert there is an indication if there is a playbook that is waiting for user action. When clicking on this, you will be transferred to the alert's Playbooks tab, where you can click on a specific playbook focusing on the stage that requires an action.
- You can detach alerts from incidents here. When doing so, you can add a reason for detaching the alert. This is written in the incident, alert chat, and timelines.
- Alerts are sorted by the creation time of the alert, with the newest alerts shown first.
- Alerts are highlighted to distinguish between read and unread alerts. Alerts attached to incidents will be indicated in bold.
SLA Based on Attached Alerts
Service Level Agreement (SLA) will now be based on alerts attached to an incident.
Service Level Agreement (SLA) will be measured based on the alerts contained in an incident, meaning the time from the creation of the first alert in the incident until an analyst investigates the incident, which is indicated by taking ownership of it. The SLA stops when ownership of the incident is taken; the SLA of the alert stops as well.
Note that if an alert was detached from or attached to an incident, the SLA will be recalculated based on the alerts currently attached to the incident. The alert with the earliest SLA timeout will set the incident SLA timing from that alert's creation.
For example, if an incident was created with an attached alert with SLA for 2 hours, the incident SLA timeout will be in 2 hours. If after an hour another alert was attached with an SLA of 3 hours, the incident SLA will be calculated based on the first alert's timeout, which means that 1 hour remains.
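The SLA rule above (earliest alert timeout sets the incident timeout, recalculation on attach/detach, clock stops on ownership) as an added Python example that is not part of the original page or the CDC product; the `Alert`/`Incident` classes, the per-alert `sla` window and the timestamps are constructed for illustration and reproduce the 2-hour/3-hour walkthrough from the text:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Alert:
    name: str
    created: datetime
    sla: timedelta  # SLA window configured for this alert (assumed per-alert setting)

    @property
    def sla_timeout(self) -> datetime:
        return self.created + self.sla


@dataclass
class Incident:
    name: str
    alerts: List[Alert] = field(default_factory=list)
    timeline: List[str] = field(default_factory=list)
    owner: Optional[str] = None
    owned_at: Optional[datetime] = None

    def attach(self, alert: Alert) -> None:
        self.alerts.append(alert)
        self.timeline.append(f"attached {alert.name}")

    def detach(self, alert: Alert, reason: str) -> None:
        # the detach reason is recorded on the incident timeline, as the page describes
        self.alerts.remove(alert)
        self.timeline.append(f"detached {alert.name}: {reason}")

    def take_ownership(self, analyst: str, at: datetime) -> None:
        self.owner, self.owned_at = analyst, at

    def sla_timeout(self) -> Optional[datetime]:
        # the attached alert with the earliest timeout sets the incident SLA;
        # recomputed from whatever is currently attached, so attach/detach changes it
        if not self.alerts:
            return None
        return min(a.sla_timeout for a in self.alerts)

    def sla_remaining(self, now: datetime) -> Optional[timedelta]:
        timeout = self.sla_timeout()
        if timeout is None:
            return None
        # the SLA clock stops when ownership is taken: freeze it at that moment
        clock = self.owned_at if self.owned_at is not None and self.owned_at < now else now
        return timeout - clock


def walkthrough() -> Dict[str, object]:
    """Reproduce the page's example: 2h alert, then a 3h alert attached an hour later."""
    t0 = datetime(2025, 4, 2, 9, 0)  # constructed timestamps
    first = Alert("EDR: malware on host", t0, timedelta(hours=2))
    second = Alert("Firewall: C&C traffic", t0 + timedelta(hours=1), timedelta(hours=3))
    inc = Incident("INC-1")
    inc.attach(first)
    timeout_after_first = inc.sla_timeout()                       # t0 + 2h
    inc.attach(second)
    remaining_after_second = inc.sla_remaining(t0 + timedelta(hours=1))  # still 1h left
    inc.detach(first, "false positive")
    timeout_after_detach = inc.sla_timeout()                      # recalculated: t0 + 4h
    inc.take_ownership("analyst1", t0 + timedelta(hours=2))
    frozen = inc.sla_remaining(t0 + timedelta(hours=3))           # frozen at 2h remaining
    return {
        "timeout_after_first": timeout_after_first,
        "remaining_after_second": remaining_after_second,
        "timeout_after_detach": timeout_after_detach,
        "remaining_after_ownership": frozen,
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The key design point is that the incident never stores its own deadline; it is always derived from the currently attached alerts, which is what makes the attach/detach recalculation described above automatic.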
Alert Events Attached by Rules During Grouping
When attaching an alert to an incident using grouping rules, you can now know which grouping rule was used.
Once an alert is attached to an incident using the grouping rules mechanism, the following message will be added to the timeline for the alert and incident:
Alert <alert_name> was attached to <incident_name> based on rule <rule> with parameters: [list of parameters and values that fit the rule]
The message in the incident has a link to the alert (alert_name), and the message in the alert has a link to the incident (incident_name).
Only visible to team accounts
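The grouping-rule flow described in this section and in the EDR/firewall example at the top of the page, as an added Python example that is not the CDC product's own code: a rule matches a new alert against an incident's attached alerts on equal fields within a time window, the attach writes the timeline message in the format shown above to both the alert and the incident, and the incident priority is raised when the attached alert's severity is higher (the rule described under "Change Incident Priority When Alert is Attached or Detached"). The rule name `same-host-within-5m`, the 5-minute window, the severity scale and the sample alerts are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# assumed severity scale used to compare alert severity against incident priority
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Alert:
    name: str
    host: str
    severity: str
    created: datetime
    timeline: List[str] = field(default_factory=list)


@dataclass
class Incident:
    name: str
    priority: str
    alerts: List[Alert] = field(default_factory=list)
    timeline: List[str] = field(default_factory=list)


@dataclass
class GroupingRule:
    name: str
    match_fields: Tuple[str, ...]  # alert attributes that must be equal
    window: timedelta              # maximum time between the two alerts

    def match(self, incident: Incident, alert: Alert) -> Optional[Dict[str, str]]:
        """Return the parameter values that satisfied the rule, or None if it did not fire."""
        for existing in incident.alerts:
            same = all(getattr(existing, f) == getattr(alert, f) for f in self.match_fields)
            if same and abs(alert.created - existing.created) <= self.window:
                params = {f: getattr(alert, f) for f in self.match_fields}
                params["window"] = str(self.window)
                return params
        return None


def attach(incident: Incident, alert: Alert, rule: GroupingRule, params: Dict[str, str]) -> None:
    incident.alerts.append(alert)
    # same message on both timelines, in the format the page describes
    msg = (f"Alert {alert.name} was attached to {incident.name} based on rule {rule.name} "
           f"with parameters: {params}")
    incident.timeline.append(msg)
    alert.timeline.append(msg)
    # priority escalation: a higher-severity alert raises the incident priority
    if SEVERITY_RANK[alert.severity] > SEVERITY_RANK[incident.priority]:
        incident.priority = alert.severity


def find_match(incidents: List[Incident], rules: List[GroupingRule], alert: Alert):
    for inc in incidents:
        for rule in rules:
            params = rule.match(inc, alert)
            if params is not None:
                return inc, rule, params
    return None


def group_alerts(alerts: List[Alert], rules: List[GroupingRule]) -> List[Incident]:
    incidents: List[Incident] = []
    for alert in sorted(alerts, key=lambda a: a.created):
        hit = find_match(incidents, rules, alert)
        if hit is None:
            # no rule fired: the alert opens a new incident with its own severity as priority
            incidents.append(Incident(f"INC-{len(incidents) + 1}", alert.severity, [alert]))
        else:
            inc, rule, params = hit
            attach(inc, alert, rule, params)
    return incidents


def walkthrough() -> List[Incident]:
    t = datetime(2025, 4, 2, 10, 0)  # constructed sample alerts
    alerts = [
        Alert("EDR: malware detected", "ws-17", "high", t),
        Alert("Firewall: traffic to known C&C address", "ws-17", "critical", t + timedelta(minutes=2)),
        Alert("Proxy: blocked download", "ws-42", "low", t + timedelta(minutes=3)),
    ]
    rules = [GroupingRule("same-host-within-5m", ("host",), timedelta(minutes=5))]
    return group_alerts(alerts, rules)


if __name__ == "__main__":
    for inc in walkthrough():
        print(inc.name, inc.priority, [a.name for a in inc.alerts])
        for line in inc.timeline:
            print("  ", line)
```

Running it yields two incidents: the EDR and firewall alerts for `ws-17` land in INC-1 (priority raised from high to critical, with the rule message on both timelines), while the unrelated `ws-42` alert opens INC-2.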
New Attached Alert or Updated Attached Alert Indication
You can now see when a new alert is attached to an incident or when an alert content was changed.
A new Alert Updated column will be added to the Incidents grid, related to alerts within this incident.
In the Incident grid, alerts in the alerts list are presented with the newest ones first.
The incident row becomes bolded when the value is changed.
The field presents a date/time stamp of the latest alert raw data changes, alert status changes, and when a new alert is attached/detached to an incident.
Change Incident Priority When Alert is Attached or Detached
The incident priority will now be automatically changed when an alert is attached or detached.
When an alert is attached to an incident and its severity is higher than the incident priority, the playbook will update the priority accordingly.
Present Number of Grouped Alerts from Incidents Grid
You can now see the number of alerts attached to an incident, when viewing the incident grid. This will give you an indication of the number of alerts attached to each incident.
A new Alerts column will be added to the Incidents grid, showing the number of alerts attached to a particular incident.
Notes:
- You can filter by the number of alerts.
- You can search by the number of attached alerts (using the Query Language/Advanced Search).
New Alerts Indication
In the Incidents grid, you can now see how many alerts were attached to an incident.
Once an alert is attached to an incident, it will be indicated as a number in superscript and is updated for each new alert.
Once you click on the incident, the number of the attached alerts will be the total. For example, 14+3 becomes 17 and is no longer bolded.